Merge "Allow selinux type for accessing /vendor/etc/avf/microdroid" into main
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 24e5ed6..c62a6ef 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -884,7 +884,7 @@
/// Check that a file SELinux label is acceptable.
///
/// We only want to allow code in a VM to be sourced from places that apps, and the
-/// system, do not have write access to.
+/// system or vendor, do not have write access to.
///
/// Note that sepolicy must also grant read access for these types to both virtualization
/// service and crosvm.
@@ -898,6 +898,7 @@
| "staging_data_file" // updated/staged APEX images
| "system_file" // immutable dm-verity protected partition
| "virtualizationservice_data_file" // files created by VS / VirtMgr
+ | "vendor_microdroid_file" // immutable dm-verity protected partition (/vendor/etc/avf/microdroid/.*)
=> Ok(()),
_ => bail!("Label {} is not allowed", context),
}
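Review bot: The new `vendor_microdroid_file` arm is accepted on the SELinux type alone, so the "immutable dm-verity protected partition" claim in its trailing comment holds only if sepolicy confines that type to /vendor/etc/avf/microdroid and gives no domain write access to it. None of that is visible in this hunk. I would state the dependency in the comment and move it onto its own line above the arm, which also keeps the line under 100 columns, e.g. `// /vendor/etc/avf/microdroid/.*: read-only vendor partition; relies on sepolicy denying writes to this type`. The function's doc comment already says sepolicy must grant read access for these types to virtualization service and crosvm, so it is worth confirming that the matching policy change lands together with this one. The enclosing function starts and ends outside the hunk.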